After five failed password attempts an account is locked for fifteen minutes. Disabled users cannot authenticate. Authorization remains separate from authentication: Studio resolves role assignments and typed permissions from MySQL on the server for every protected operation.
#First-run bootstrap
Hosted first-run setup requires the secret-backed bootstrap token and creates the first local credential and administrator role assignment transactionally. Loopback-only Local Mode may use the explicit local bypass and never exposes a bootstrap token to the browser.
#Administrator safety
User creation, role assignment, and disabling or deletion are audited. Server-side continuity checks prevent removal or disabling of the last effective identity and role-management administrator.